
PRIVATELOG Malware

The PRIVATELOG Malware is a unique threat discovered by the analysts at the Mandiant Advanced Practices team. The threat is established as a new malware family and its intended use appears to be as a delivery system for later-stage payloads on the compromised systems. So far, PRIVATELOG and its installer named STASHLOG have not been observed in live attack campaigns, which could indicate that they are still in development. 

PRIVATELOG Exploits CLFS

The PRIVATELOG Malware abuses the Common Log File System (CLFS) to hide the intended next-stage payload in the Registry transaction files. CLFS was developed by Microsoft and introduced with Windows Vista and Windows Server 2003 R2. It is a logging framework that provides programs with API functions for creating, storing and reading log data. The CLFS file format is not widely used and, as such, the attackers can hide their corrupted data as log records that are hard to notice. 

Technical Details

PRIVATELOG uses code obfuscation, a typical technique observed in most malware families, but it introduces an uncommon aspect. The threat encrypts each byte of a string by XORing it with a hard-coded key byte inline, without loops. In practice, this means that each string is encrypted with its own unique byte stream rather than a single shared key. 
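The per-byte inline XOR described above, modelled as an added example (not PRIVATELOG's own code; the mov/xor listing shape, stack-slot offsets and key bytes are constructed assumptions for illustration): an unrolled encoder, a decoder that pairs each stored byte with the key immediate that follows it, and a check showing why a classic single-key XOR brute force recovers nothing.

```python
import re
from typing import List

# Constructed model of the obfuscation described above: every byte of a string is
# XORed with its own hard-coded key byte, inline, with no loop and no shared key.
# The disassembly shape emitted below is an assumption for illustration only,
# not the malware's real listing.

def unrolled_xor_listing(plaintext: bytes, keystream: bytes, base: int = 0x20) -> str:
    """Emit the unrolled mov/xor pairs a loop-free encoder leaves behind.
    Byte i is stored as (p_i ^ k_i) and then decrypted in place with k_i."""
    assert len(keystream) >= len(plaintext), "one key byte per plaintext byte"
    lines = []
    for i, (p, k) in enumerate(zip(plaintext, keystream)):
        lines.append(f"mov byte ptr [rsp+{base + i:#x}], {p ^ k:#04x}")
        lines.append(f"xor byte ptr [rsp+{base + i:#x}], {k:#04x}")
    return "\n".join(lines)

_PAIR = re.compile(r"mov byte ptr \[rsp\+(0x[0-9a-f]+)\], (0x[0-9a-f]{2})\n"
                   r"xor byte ptr \[rsp\+\1\], (0x[0-9a-f]{2})")

def decode_listing(listing: str) -> bytes:
    """Recover the string by pairing each stored byte with the key immediate
    applied to the same stack slot, then ordering the slots by offset."""
    slots = {}
    for m in _PAIR.finditer(listing):
        off, cipher, key = (int(x, 16) for x in m.groups())
        slots[off] = cipher ^ key
    return bytes(slots[o] for o in sorted(slots))

def single_key_candidates(cipher: bytes) -> List[bytes]:
    """The 256 candidates a single-key XOR brute force would try. With a per-byte
    keystream none of them is the plaintext unless the keystream happens to be
    constant, which is why per-byte keys defeat this shortcut."""
    return [bytes(c ^ k for c in cipher) for k in range(256)]

def demo():
    plaintext = b"prntvpt.dll"  # constructed sample string
    keystream = bytes([0x5a, 0x13, 0xc7, 0x2e, 0x81, 0x44, 0x9f, 0x0b, 0x66, 0xd2, 0x3c])
    listing = unrolled_xor_listing(plaintext, keystream)
    recovered = decode_listing(listing)
    cipher = bytes(p ^ k for p, k in zip(plaintext, keystream))
    brute_hit = plaintext in single_key_candidates(cipher)
    return recovered, brute_hit

if __name__ == "__main__":
    print(demo())
```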

On the system, PRIVATELOG takes the appearance of an un-obfuscated 64-bit DLL named 'prntvpt.dll.' It tries to imitate the legitimate 'prntvpt.dll' by exposing similar exports but, in the case of the corrupted file, these exports have no functionality. 

To load and execute the DLL payload, PRIVATELOG employs a rarely encountered technique involving NTFS transactions. In essence, the method appears to be similar to the Phantom DLL hollowing technique. 
